Description

Hi,
I believe that the ZF implementation of the rich text editor dijit.Editor is based on outdated Dojo docs and is apparently insecure. In use, it logs warnings to the Firebug console about not using it with HTML Textarea tags - from the Dojo comments:
// Do not use this widget
// with an HTML <TEXTAREA> tag, since the browser unescapes XML escape characters,
// like <. This can have unexpected behavior and lead to security issues
// such as scripting attacks.

The approved method appears to be to use a div instead; however, I suspect this has the downside of not degrading gracefully in the absence of JavaScript. I don't know whether the claimed security flaw is important enough to sacrifice this principle for.

The fix is to alter lines 89-92 of Zend/Dojo/View/Helper/Editor.php to:

Happened to me in IE7 - my client was complaining that when they tried to change the data in the Editor field, the text "Array" was saved in place of the content.
Dumping the request data reveals that the data is submitted as an array, similar to what is displayed below:

Fixed in trunk, and will release with 1.10. The change is a slight BC break, but justifiable due to the security implications; however, these changes are best to introduce during a minor release when we can message how to upgrade more granularly.
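
The Dojo warning quoted in the description, as an added example that is not part of the original thread or of the Dojo or ZF code: a DOM-free model of what an editor widget reads from a <textarea> versus a <div> when the server HTML-escapes stored content. The function names and the sample string are constructed, and the model assumes the widget takes .value from a textarea and .innerHTML from a div.

```javascript
// Added example (hypothetical names, constructed sample input).
// Models the browser's handling of escaped content in two source nodes.

// Server-side escaping applied to stored content before it is written into the page.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The HTML parser decodes character references in element content exactly once.
function decodeEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', amp: '&' };
  return s.replace(/&(lt|gt|quot|amp);/g, (m, name) => map[name]);
}

// <textarea>: content is plain text, and .value returns it already decoded.
function readFromTextarea(pageSource) {
  return decodeEntities(pageSource);
}

// <div>: content is parsed into a text node, and .innerHTML serializes that
// node again with &, < and > escaped, so the escaping survives the round trip.
function readFromDiv(pageSource) {
  return decodeEntities(pageSource)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// True when the string would create elements if the editor loaded it as HTML.
function containsMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Run one stored value through both paths and report what the editor would load.
function compare(stored) {
  const pageSource = escapeHtml(stored);
  const fromTextarea = readFromTextarea(pageSource);
  const fromDiv = readFromDiv(pageSource);
  return {
    pageSource, fromTextarea, fromDiv,
    textareaLoadsMarkup: containsMarkup(fromTextarea),
    divLoadsMarkup: containsMarkup(fromDiv),
  };
}

const sample = 'Note: <script>demo()</script>'; // constructed stored value
console.log(compare(sample));
```

With the textarea source, the server's escaping is undone before the widget sees the content, so any filtering has to happen on the stored value itself rather than rely on output escaping.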